x/crypto/ssh: fix bounds check in parseString
Fixes golang#11348

Change-Id: If083744343256a2a53eb813411ba0c9a359d6dbd
Reviewed-on: https://go-review.googlesource.com/11332
Reviewed-by: Adam Langley <[email protected]>
ebfe authored and agl committed Jun 27, 2015
1 parent f1b99bc commit cc04154
Showing 2 changed files with 14 additions and 3 deletions.
7 changes: 4 additions & 3 deletions ssh/messages.go
Expand Up @@ -484,11 +484,12 @@ func parseString(in []byte) (out, rest []byte, ok bool) {
return
}
length := binary.BigEndian.Uint32(in)
if uint32(len(in)) < 4+length {
in = in[4:]
if uint32(len(in)) < length {
return
}
out = in[4 : 4+length]
rest = in[4+length:]
out = in[:length]
rest = in[length:]
ok = true
return
}
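Review bot: The reordered check in parseString (`in = in[4:]` followed by `if uint32(len(in)) < length {`) carries no comment saying why the 4-byte header is sliced off before the comparison, so a later cleanup could fold it back into the `4+length` form, which wraps in uint32 when the peer sends a length near 0xffffffff and lets the slice expressions below panic. I would add above the comparison: `// Compare against the remaining bytes; 4+length can wrap in uint32 for a peer-supplied length.` The remaining `uint32(len(in))` cast truncates only for buffers of 4 GiB or more and then rejects rather than over-reads, so it fails safe, but `uint64(len(in)) < uint64(length)` would remove the question entirely. The function's signature and the start of its first guard are outside the hunk, and any other length-prefixed parsers in this file that are not shown here would be worth checking for the same `4+length` pattern.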
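--- a/ssh/messages_test.go
+++ b/ssh/messages_test.go
@@ -162,6 +162,16 @@ func TestBareMarshal(t *testing.T) {
 }
 }
 
+func TestUnmarshalShortKexInitPacket(t *testing.T) {
+// This used to panic.
+// Issue 11348
+packet := []byte{0x14, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0xff, 0xff, 0xff, 0xff}
+kim := &kexInitMsg{}
+if err := Unmarshal(packet, kim); err == nil {
+t.Error("truncated packet unmarshaled without error")
+}
+}
+
 func randomBytes(out []byte, rand *rand.Rand) {
 for i := 0; i < len(out); i++ {
 out[i] = byte(rand.Int31())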
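Review bot: The packet literal in TestUnmarshalShortKexInitPacket is not explained, so a reader has to decode by hand that its last four bytes are a length prefix of 0xffffffff with no payload behind it. A comment such as `// 0x14 message type, 16 filler bytes, then a string length of 0xffffffff and no data` above the literal would make the regression obvious. The test presumably reaches parseString only through Unmarshal and asserts nothing beyond a non-nil error; direct cases on parseString for a length equal to, and one greater than, the remaining bytes would pin the boundary itself rather than one path to it. randomBytes at the end of the hunk continues outside it.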
